Web Exceptions Not Working

We have 40+ XGs for our clients in MS Azure and now one of them wants to block most web activities, except for a handful of sites they use (slack, gitlab, google, and a bunch of others).  The problem is that Exceptions don't seem to work.  I have tried regex and just the simple domain names, no luck.

  1. Created a Policy
  2. Added a bunch of categories and stuff to it, with a default allow at the bottom.
  3. Created Exceptions, adding all the sites they wanted to use.
  4. Used Policy Test as well as created an actual Rule and all the sites are still blocked on the test machine.

What gives?  This firewall OS surprises me more and more every day.

  • NateP,

    Make sure to check the scan HTTP inside the firewall rule.

    Also, on the web profile, did you select block only for HTTP and not for HTTPS (lock icon)?

    If you run the policy test, what is the result?

    Thanks

  • lferrara said:
    make sure to check the scan http inside the firewall rule.

    Thanks.  I was not aware of the HTTP vs HTTPS option in the policies.  I will give that a shot.  I also was trying to be careful of the scanning options in the rule during testing, since this is a live firewall.  We first turned this on in January (without the exceptions) and it put a ton of extra load on the firewall to the point that VPNs were dropping.

  • Still no dice.  Tried policy test with HTTP and also HTTPS in the URL.

    In the exceptions I have just slack.com and also a regex of ^([A-Za-z0-9.-]*\.)?slack\.com

  • Hi NateP,

    Thanks for the screenshots.  I tested this on my side and it worked fine.  Is your slack exclusion in the same A Exceptions as your previous screenshots?  I suspect that the exception is not hitting.  Make sure that the exclusion is skipping policy checks and is turned on.

  • Hi,

    Yes, it's in the same list of exclusions; it was just truncated in the "# more..." list.


    I just can't grasp why it's not hitting.  Shouldn't exclusions be global across all policies?  It's hard to say; so far there are several things in the XG that don't make sense logically.  I'm just confused and under pressure from the client's info-sec team to get web access blocked, but didn't want to block everything and then whitelist from there.

  • ^([A-Za-z0-9.-]*\.)?slack\.com\.?/


    Shouldn't you have a \.?/ after the com?


    Also, do you have any other rules that may be higher on the list blocking this?  Country blocking?

    Respectfully, 


    Badrobot
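Added example (not from the thread or from Sophos): a quick Python check of the two patterns discussed above against a few constructed URLs, showing why the trailing `\.?/` matters when the pattern is used as an allow-list exception. It assumes the pattern is applied from the start of the scheme-less URL, as `re.match` does here; how the firewall itself applies the pattern is not shown in the thread.

```python
import re

# The original poster's pattern and Badrobot's variant with "\.?/" after "com".
PATTERN_LOOSE = r"^([A-Za-z0-9.-]*\.)?slack\.com"
PATTERN_STRICT = r"^([A-Za-z0-9.-]*\.)?slack\.com\.?/"

# Constructed sample URLs with the scheme already stripped. Assumption: the
# firewall matches the pattern from the beginning of this host+path string.
SAMPLE_URLS = [
    "slack.com/",
    "app.slack.com/client",
    "slack.com",                 # host only, no trailing slash
    "slack.community/",          # unrelated domain sharing the "slack.com" prefix
    "slack.com.example.test/",   # "slack.com" as a label of an unrelated domain
    "notslack.com/",             # label not separated from "slack" by a dot
]


def matches(pattern: str, url: str) -> bool:
    """True if the exception pattern would hit this URL."""
    return re.match(pattern, url) is not None


def host_of(url: str) -> str:
    """Everything before the first '/' is the host (scheme already removed)."""
    return url.split("/", 1)[0]


def is_slack_host(url: str) -> bool:
    """The hosts the exception is meant to cover: slack.com and its subdomains."""
    host = host_of(url)
    return host == "slack.com" or host.endswith(".slack.com")


def false_positives(pattern: str) -> list:
    """URLs the pattern would exempt from policy even though the host is not slack.com."""
    return [u for u in SAMPLE_URLS if matches(pattern, u) and not is_slack_host(u)]


if __name__ == "__main__":
    for name, pattern in (("loose", PATTERN_LOOSE), ("strict", PATTERN_STRICT)):
        print(name, "over-broad matches:", false_positives(pattern))
```

The loose pattern also exempts `slack.community/` and `slack.com.example.test/`; the strict one does not, but it then requires a `/` after the host, so a URL that reaches the firewall with no path at all would not match it either.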

